The Impact of Regulatory Compliance on Database Administration

Joe BrockertSr. Software ConsultantNEON Enterprise Software, Inc.

3

Agenda

An Overview of Government Regulations and Issues

IT Controls for Compliance

Impacts on Data and Database Management

Data Quality Long-term Data Retention Database Security Database and Data Access Auditing Controls on DBA Procedures Metadata Management

4

Compliance Continues to Exert Pressure

Increasing compliance pressure. Compliance requirements, such as Sarbanes-Oxley, HIPAA, CA SB 1386, and the Gramm-Leach-Bliley Act (GLBA), are driving interest for all enterprises to take strong security measures to protect private data. These include initiatives around data-at-rest encryption, granular auditing, intrusion detection and prevention, and end-to-end security measures.

Source: Trends 2006: Database Management Systems, Forrester Research

5

Regulatory Compliance

GLB

HIPAA

Basel II

Federal Information Security Management

Act

Sarbanes-Oxley

6

GLB: Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

The Act consists of three sections:

The Financial Privacy Rule, which regulates the collection and disclosure of private financial information;

The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information;

and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses).

The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

7

HIPAA: Health Insurance Portability and Accountability Act

The HIPAA Privacy Rule creates national standards to protect individuals' medical records and other personal health information and to give patients more control over their health information.

The Privacy Rule provides that, in general, a covered entity may not use or disclose an individual’s healthcare information without permission except for treatment, payment, or healthcare operations.

The Privacy Rule requires the average healthcare provider or health plan to do the following:

Notify patients about their privacy rights and how their information can be used.

Adopt and implement privacy procedures for its practice, hospital, or plan.

Train employees so that they understand privacy procedures.       Designate an individual to be responsible for seeing that privacy

procedures are adopted and followed.      Secure records containing individually identifiable health information

so that they are not readily available to those who do not need them.

8

BASEL II

Basel II is a round of deliberations by central bankers from around the world, under the auspices of the Basel Committee on Banking Supervision (BCBS) in Basel, Switzerland.

Goal: to produce uniformity in the way banks and banking regulators approach risk management across national borders.

The New Basel Capital Accord is about improving risk and asset management to avoid financial disasters. Basel II uses "three pillars":

1. minimum capital requirements

2. supervisory review; and

3. market discipline - to promote greater stability in the financial system.

Compliance requires all banking institutions to have sufficient assets to offset any risks they may face, represented as an eligible capital to risk aggregate ratio of 8%.

Part of this compliance dictates data capture requirements and that financial institutions must have three years of data on file by 2007.

9

FISMA: Federal Information Security Mgmt Act

The E-Government Act was passed in 2002

as a response to terrorist threats

Title III of the act is named the Federal Information Security Management Act (FISMA).

FISMA basically states that federal agencies, contractors, and any entity that supports them, must maintain security commensurate with potential risk.

Officials are graded on the potential effect a security breach would have on their operations.

10

SOX: Sarbanes-Oxley Act

The U.S. Public Accounting Reform and Investor Protection Act of 2002

“…to use the full authority of the government to expose corruption, punish wrongdoers, and defend the rights & interests of American workers & investors.”

The primary objectives of SOX:

— To strengthen and restore public confidence in corporate accountability and the accounting profession;

— To strengthen enforcement of the federal securities laws;

— To improve executive responsibility;

— To improve disclosure and financial reporting; and

— To improve the performance of “gatekeepers.”

Section 404 is the largest driver of SOX projects

— It is the most important section for IT because the processes and internal controls are implemented primarily in IT systems;

— …and much of the data is stored in a DBMS.

11

Other Regulations & Issues?

And, there are more regulations to consider, for example:

the USA Patriot Act Can SPAM Act of 2003 Telecommunications Act of 1996 The Data Quality Act

And, there are more regulations to contend with; based upon your industry, location, etc.

As well as, new regulations that will continue to be written by government and imposed over time…

Regulations have brought to light some of the personal financial information that has been compromised (stolen)

More on this later…

12

Regulatory Compliance is International

Country Examples of Regulations

Australia Commonwealth Government’s Information Exchange Steering

Committee, Evidence Act 1995, more than 80 acts governing

retention requirements

Brazil Electronic Government Programme, EU GMP Directive 1/356/EEC-9

France Model Requirements for the Management of Electronic Records, EU

Directive 95/46/EC

Germany Federal Data Protection Act, Model Requirements for the

Management of Electronic Records, EU Directive 95/46/EC

Japan Personal Data Protection Bill, J-SOX

Switzerlan

d

Swiss Code of Obligations articles 957 and 962

United

Kingdom

Data Protection Act, Civil Evidence Act 1995, Police and Criminal

Evidence Act 1984, Employment Practices Data Protection Code,

Combined Code on Corporate Governance 2003

13

http://www.itcinstitute.com/ucp/index.aspx

14

Regulatory Compliance and…

Impact: upper-level management is keenly aware of the need to comply, if not all of the details that involves.

Prosecution: being successfully prosecuted (see next slide) can result in huge fines and even imprisonment.

Cost: cost of complete compliance can be significant, but so can the cost of non-compliance. No longer easier just to ignore problems.

Durability: although there have been discussions about scaling back some laws (e.g. SOX), increasing regulations and therefore increasing time, effort, and capital will be spent on compliance.

That is, the issue will not just disappear if you ignore it long enough!

But, at the end of the day, ensuring exact compliance can be a gray area.

15

The Reality of Prosecution

Enron – In May 25, 2006 Ken Lay (former CEO) was found guilty of 10 counts against him. Because each count carried a maximum 5- to 10-year sentence, Lay could have faced 20 to 30 years in prison. However, he died while vacationing in about three and a half months before his scheduled sentencing. Jeff Skilling (another former CEO) was found guilty of 19 out of 28 counts against him, including one count of conspiracy, one count of insider trading. Skilling was sentenced to 24 years and 4 months in federal prison.

WorldCom – In June 2005, 800,000 investors were awarded $6 billion in settlements; the payouts will be funded by the defendants in the case, including investment banks, audit firms, and the former directors of WolrdCom. The judge in the case noted that the settlements were “of historic proportions.” Additionally, Bernard Ebbers, former CEO of WorldCom, was convicted of fraud and sentenced to 25 years in prison.

Tyco – In September 2005, Dennis Kozlowski (former Tyco CEO) and Mark Swartz (former Tyco CFO) were sentenced to 8 to 25 years in prison for stealing hundreds of millions of dollars from Tyco. Additionally, Kozlowski had to pay $70 million in restitution; Swartz $35 million.

Adelphia – In June 2005, John Rigas (founder and former CEO) was sentenced to 15 years in prison; his son, Tony, was also convicted of bank fraud, securities fraud, & conspiracy - he received a 20 year sentence.

HealthSouth – In March 2005, Richard Scrushy, founder and former CEO, was acquitted of charges relating to 1 $2.7 billion earnings over-statement. Scrushy blamed his subordinates for the fraud…

ROI?

16

But Business Benefits Do Exist

Source: Unisphere Research, OAUG Automating Compliance 2006 Survey

17

Why Should DBAs Care About Compliance?

Compliance starts with the CEO…

But the CEO relies on the CIO to ensure that IT processes are compliant

And the CIO relies on the IT managers One of whom (DBA Manager) controls the

database systems— Who relies on DBAs to ensure that data is

protected and controlled.

18

So What Do Data Mgmt Folks Need to Do?

Implement standard controls and methods for improving:

Data Quality Long-term Data Retention Database Security Database and Data Access Auditing DBA Procedures

…and this will require proper metadata management!

19

Issue #1: Data Quality

A recent SAS/Risk Waters Group survey indicated that 93% of respondents had experienced losses of $10 million in one year…

And 21% of respondents said that at some point, their company suffered a loss between $10,000 and $1,000,000 in a single day.

The prime reasons given for such losses were incomplete, inaccurate or obsolete data, and inadequate processes. Source: Gartner (April 2006)

20

Examples of Data Quality Regulations

The Data Quality Act (DQA)

Careful, it sounds better than it actually is.

Written by an industry lobbyist and slipped into a giant appropriations bill in 2000 without congressional discussion or debate

Basically consists of two sentences directing the OMB to ensure that all information disseminated by the federal government is reliable.

Sarbanes-Oxley

Financial reports must be ACCURATE

Without good data quality this is impossible.

21

Data Quality: Is it Really a Major Concern?

According to a PricewaterhouseCoopers' Survey of 452 companies, almost half of all respondents do not believe that senior management places enough importance on data quality.

How good is your data quality? Estimates show that, on average, data quality is suspect:

Payroll record changes have a 1% error rate;

Billing records have a 2-7% error rate, and;

The error rate for credit records: as high as 30%.

Similar studies in Computer World and the Wall Street Journal back up the notion of overall poor data quality.

W.M. Bulkeley, "Databases Are Plagued by Reign of Error," The Wall Street Journal,

26 May 1992, B2.

B. Knight, "The Data Pollution Problem," ComputerWorld,

28 September 1992, 81-84.

Source: T.C. Redman, Data Quality: Management and Technology, (New York, Bantam Books).

22

The High Cost of Poor Quality Data

“Poor data quality costs the typical

company at least ten percent (10%) of

revenue; twenty percent (20%) is probably

a better estimate.”

Source: Thomas C. Redman, “Data: An Unfolding Quality Disaster”,

DMReview Magazine, August 2004

Valid &Accurate?

23

Database Constraints

By building constraints into the database,

overall data quality may be improved:

Referential Integrity— Primary Key— Foreign Key(s)

UNIQUE constraints CHECK constraints Triggers Domains

24

Data Profiling

With data profiling, you can:

Discover the quality, characteristics and potential problems of information before beginning data-driven projects

Drastically reduce the time and resources required to find problematic data

Allow business analysts and data stewards to have more control on the maintenance and management of enterprise data

Catalog and analyze metadata and discover metadata relationships

25

Issue #2: Long-Term Data Retention

The average installed storage capacity at Fortune 1000 corporations has grown from 198TB to 680TB in less than two years.

This is a growth rate of more than 340% as capacity continues to double every 10 months.

Source: TIP (TheInfoPro). 2006 www.theinfopro.net

26

More Data, Stored for Longer Durations

Am

ou

nt

of

Data

Time Required

Complia

nce Pr

otect

ion

0 30+ Yrs

Data Retention Issues:

Volume of data (125% CAGR)

Length of retention requirement

Varied types of data

Security issues

27

Data Retention Drives Data(base) Archiving

Data Retention Requirements refer to the length of time you need to keep data

Determined by laws – regulatory compliance More than 150 state and federal laws Dramatically increasing retention periods for

corporate dataDetermined by business needs

Reduce operational costs Large volumes of data interfere with

operations: performance, backup/recovery, etc.

Isolate content from changes Protect archived data from

modification

28

Regulatory Compliance & Data Retention Requirements

29

Market Drivers – eDiscovery

Regulators

Litigators

30

E-Discovery

Electronic evidence is the predominant form of discovery today. (Gartner,Research Note G00136366)

Electronic evidence could encompass anything that is stored anywhere. (Gartner,Research Note G00133224)

When data is being collected (for e-discovery) it is imperative that it is not changed in any way. Metadata must be preserved… (Gartner,Research Note G00133224)

Gartner Strategic Planning Assumption: Through 2007, more than half of IT organizations and in-house legal departments will lack the people and the appropriate skills to handle electronic discovery requirements (0.8 probability). (Gartner,Research Note G00131014)

31

Precedent has been Established

Quinby v. Westlb AG,, 2005 U.S. Dist. (S.D.N.Y. Dec. 15, 2005).

$3M to restore over 3,700 backup tapes

Zubulake v. UBS Warburg LLC,, 2003 U.S. Dist. (S.D.N.Y. July 24,

2003).

$273,649 to restore, review and produce 77 backup tapes

32

What “Solutions” Are Out There?

Keep Data in Operational Database— Problems with authenticity of large amounts of

data over long retention times— Operational performance degradation

Store Data in UNLOAD files (or backups)— Problems with schema change and reading archived data— Using backups poses even more serious problems

Move Data to a Parallel Reference Database— Combines problems of the previous two

Move Data to a Database Archive

33

Components of a Database Archiving Solution

Data DataExtract Recall

Archive data store and retrieveMetadata

capture, design,maintenance

Archive dataquery and

access

Archive administration

datametadata

Archive

Databases

metadatapolicieshistory

Database Archiving: The process of removing selected data records from operational databases that are not expected to be referenced again and storing them in an archive data store where they can be retrieved if needed.

Purge

34

Precedent has been Established

Kleiner v. Burns, 2000 U.S. Dist., 48 Fed. R. Serv. 3d (Callaghan) 644 (D. Kan. Dec. 22, 2000).

In granting the motion to compel, the court noted that "computerized data and other electronically-recorded information" includes, but is not limited to: voice mail messages and files; backup voice mail files; email messages and files; backup email files; deleted emails, data files, program files, backup and archival tapes; temporary files, system history files; website information stored in textual, graphical or audio format; website log files, cache files, cookies, and other electronically-recorded information.

35

Needs for Database Archiving

Policy based archiving: logical selection

Keep data for very long periods of time

Store very large amounts of data in archive

Maintain archives for ever changing operational systems

Become independent from Applications/DBMS/Systems

Become independent from Operational Metadata

Protect authenticity of data

Access data directly in the archive when needed; as needed

Discard data after retention period

36

Issue #3: Data and Database Security

75% of enterprises do not have a DBMS security plan.

A single intrusion that compromises private data can cause immense damage to the reputation of an enterprise — and in some cases financial damage as well.

Database configurations are not secure by default, and they often require specialized knowledge and extra effort to ensure that configuration options are set in the most secure manner possible.

Source: Forrester Research, “Comprehensive Database Security…”

Source: Forrester Research, “Your DBMS Strategy 2005”

Source: Forrester Research, “Comprehensive Database Security…”

37

Obstacles to Database Security

Source: Forrester Research, “Comprehensive Database Security…”

38

Data Breaches: A Threat to Your Data

Privacy Rights Clearinghouse

Since 2005:

In excess of 150 million total records150 million total records containing sensitive personal information were exposed due to data security breaches…

— ChoicePoint: (Feb 15, 2005) – data on 165,000 customers breached— Since then, there have been 150,921,674 total records breached that

contained sensitive personal information*

http://www.privacyrights.org/ar/ChronDataBreaches.htm

* As of Feb 27, 2007, reported by http://www.privacyrights.org/ar/ChronDataBreaches.htm

* As of July 24, 2007

39

Database Security Issues in a Nutshell

Authentication Who is it?

Authorization Who can do it?

Encryption Who can see it?

Audit Who did it?

40

Security From a DB2 Perspective

41

42

Database Security

Who has access to high-level “roles”: Install SYSADM, SYSADM, SYSCTRL, DBADM, etc.

Auditors will have issues with this, but it is difficult, if not impossible, to remove.

Do any applications require DBA-level authority? Why?

Security monitoring

Data Access Auditing (more on this in a moment) Additional tools

43

SYSADM and Install SYSADM

Install SYSADM bypasses the DB2 Catalog when

checking for privileges.

So, there are no limits on what a user with Install SYSADM authority can do.

And it can only be removed by changing DSNZPARMs

Basically, needed for catalog and system “stuff”

SYSADM is almost as powerful, but:

It can be revoked Biggest problem for auditors: SYSADM has

access to all data in all tables.

44

Suggestions

• Limit the number of SYSADMs

And audit everything those users do.

• Consider associating Install SYSADM with a

group (RACF)

Authids that absolutely need Install SYSADM can be connected to the group using secondary authids.

• Similar issues with SYSOPR and Install

SYSOPR

45

Data Encryption Considerations

California's SB 1386 protects personally identifiable information; obviously it doesn't matter if encrypted data becomes public since it's near impossible to decrypt.

Types of encryption At Rest In Transit

Issues Performance

— Encrypting and decrypting data consumes CPU Applications may need to be changed

— See next slide for DB2 V8 encryption functions

Source: “Encryption May Help Regulatory Compliance” Edmund X. DeJesus, SearchSecurity.com

46

DB2 V8: Encryption / Decryption

Encryption: to encrypt the data for a column

ENCRYPT_TDES [can use ENCRYPT() as a synonym for compatibility]

Triple DES cipher block chaining (CPC) encryption algorithm— Not the same algorithm used by DB2 on other platforms

128-bit secret key derived from password using MD5 hash

Decryption: to decrypt the encrypted data for a column

Can only decrypt expressions encrypted using ENCRYPT_TDES— Can have a different password for each row if needed

Without the password, there is no way to decrypt

ENCRYPT_TDES(string, password, hint)

DECRYPT_BIT(), DECRYPT_CHAR(), DECRYPT_DB()

INSERT INTO EMP (SSN)VALUES(ENCRYPT('289-46-8832','TARZAN','? AND JANE'));

SELECT DECRYPT_BIT(SSN,'TARZAN') AS SSN FROM EMP;

ExitRoutine?

47

DB2 9 for z/OS: Encryption in Transit

DB2 9 supports SSL by implementing z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS)

AT-TLS performs transport layer security on behalf of DB2 for z/OS by invoking the z/OS system SSL in the TCP layer of the TCP/IP stack

When acting as a requester, DB2 for z/OS can request a connection using the secure port of another DB2 subsystem

When acting as a server, and from within a trusted context SSL encryption can be required for the connection

48

Issue #4: Auditing

In a world replete with regulations and threats, organizations have to go well beyond securing their data. Essentially, they have to perpetually monitor their data in order to know who or what did exactly what, when and how –- to all their data.

HIPAA, for example, requires patients to be informed any time someone has even looked at their data.

Source: Audit the Data – or Else: Un-audited Data Access Puts Business at High Risk. Baroudi-Bloor, 2004.

49

Database and Data Access Auditing

An audit is an evaluation of an organization, system, process, project or product.

Database Control Auditing— Who has the authority to…

Database Object Auditing— DCL: GRANT, REVOKE— DDL: CREATE, DROP

Data Access Auditing— INSERT, UPDATE, DELETE— SELECT

50

Regulations Impacting Database Auditing

2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.)

5. Accounts, Roles &

Permissions (Entitlements)

4. Security Exceptions

(Failed logins, SQL errors, etc.)

3. Data Changes (DML)

(Insert, Update, Delete)

(OMB)

1. Access to Sensitive

Data (Successful/Failed

SELECTs)

NIST

800-53

(FISMA)

NER

C

ISO

17799

(Basel

II)

GLB

A

CMS

ARSHIPAA

PCI

DSS

CobiT

(SOX)

Audit

Requirements

51

How to Audit Database Access?

1. DBMS traces

2. Log based

3. Network sniffing

4. Capture requests at the server

52

DB2 Audit Trace

The DB2 Audit Trace can record:

Changes in authorization IDs Changes to the structure of data (such as dropping a table)

Changes to data values (such as updating or inserting data)

Access attempts by unauthorized IDs Results of GRANT statements and REVOKE

statements Mapping of Kerberos security tickets to IDs Other activities that are of interest to auditors

Audit Trace Classes are listed on page 287, Admin Guide

-START TRACE (AUDIT) CLASS (4,6) DEST (GTF) LOCATION (*)

CREATE TABLE . . . AUDIT ALL . . .

53

Limitations of the audit trace

The audit trace doesn’t record everything:

Auditing takes place only when the audit trace is on.

The trace does not record old data after it is changed (the log records old data).

If an agent or transaction accesses a table more than once in a single unit of recovery, the audit trace records only the first access.

The audit trace does not record accesses if you do not start the audit trace for the appropriate class of events.

The audit trace does not audit some utilities. The trace audits the first access of a table with the LOAD utility, but it does not audit access by the COPY, RECOVER, and REPAIR utilities. The audit trace does not audit access by stand-alone utilities, such as DSN1CHKR and DSN1PRNT.

The trace audits only the tables that you specifically choose to audit.

You cannot audit access to auxiliary tables.

You cannot audit the catalog tables because you cannot create or alter catalog tables.

54

Using the Log?

How to review the changes made to large financial databases… or to any databases under the purview of

regulations? The transaction log(s) capture ALL changes made to ALL

data.

Database

DBMS

Transaction Log(s)

SQLChanges

55

Issues With Database Log Auditing & Analysis

The trick is to be able to decipher the information contained in the database logs

Log format is proprietary Volume can be an issue

— Pinpoint transactions

Easy access to online and archive logs? Dual usage?

— Recovery and protection— Audit

Tracks all database modifications, but what about reads?— Data Manipulation (DML)— Data Definition (DDL)— Data Control (DCL)

56

Network Sniffing

Another approach “sniffs” packets as they

are sent across the network (client/server

tools)

SQL statements are identified and tracked Audit reports can be generated against the SQL

network traffic Problem: what if the DB2 for z/OS request does

NOT go over the network (e.g. CICS transaction)— Network sniffers cannot capture this type of

request

57

Auditing Has to be at the Server Level

If you are not capturing all pertinent access

requests at the server level, nefarious users

can sneak in and not be caught.

58

Bottom Line

Database auditing software can produce useful

reports on database activities, but beware:

Reads are problematic and are not stored on the database transaction log

Auditing software can resolve many of the issues with transaction log based auditing

Many of the tools today that purport to work with mainframe data only “audit” client/server access

— That is, they are network sniffers and will not show, for example, CICS transactions that access DB2 for z/OS

59

Issue #5: Management & Admin Procedures

Are changes made to your database environment using standard methods and in a controlled manner?

Are your databases properly backed up and recoverable within the timeframe mandated by your business (and any regulations)?

60

CobiT and Change Management

Control Objectives

Changes to data structures are authorized, made in

accordance with design specifications and are

implemented in a timely manner.

Changes to data structures are assessed for their impact

on financial reporting processes.

“Unauthorized change is one of the best (and worst) ways

to get your auditor’s attention.”

Source: Scheffy, Brasche, & Greene, IT Compliance for Dummies,

(2005, Wiley, ISBN 0-471-75280-0)

61

SOX Compliance Requirement for Database Change Management

Changes to the database are widely communicated, and their impacts are known beforehand.

Installation and maintenance procedure documentation for the DBMS is current.

Data structures are defined and built as the designer intended them to be.

Data structure changes are thoroughly tested.

Users are apprised, and trained if necessary, when database changes imply a change in application behavior.

The table and column business definitions are current and widely known.

The right people are involved throughout the application development and operational cycles.

Any in-house tools are maintained and configured in a disciplined way.

Application impacts are known prior to the migration of database changes to production.

Performance is maintained at predefined and acceptable levels.

The database change request and evaluation system is rational.

Turn-around time on database changes is predictable.

Any change to the database can be reversed.

Database structure documentation is maintained.

Database system software documentation is maintained.

Migration through development, test, and especially, production environments is rational.

Security controls for data access is appropriate and maintained.

Database reorganizations are planned to minimize business disruption.

Source: SOX Requirements for DBAs in Plain English by James McQuade http://www.dbazine.com/ofinterest/oi-articles/mcquade2

62

Database Change Management

Databases protected with controls to prevent unauthorized changes

Proper security for DBAs - including access to tools

Ensure controls maintained as changes occur in applications, software, databases, personnel

Maintain user ids, roles, access Ability for replacement personnel to perform work Test processes Change control logs to prove what you said was done, has been

done Backout procedures Reduce system disruptions Accurate and timely reporting of information

Routine, non-routine, emergency process defined and documented

Complex and trivial changes follow the same procedures?

63

And it all Requires…

As data volume expands and more regulations hit

the books, metadata will increase in importance

Metadata: data about the data Metadata characterizes data. It is used to provide

documentation such that data can be understood and more readily consumed by your organization. Metadata answers the who, what, when, where, why, and how questions for users of the data.

Data without metadata is meaningless

Consider: 27, 010110, JAN

64

Data Categorization

Data categorization is critical

Metadata is required to place the data into proper categories for determining which regulations apply

— Financial data SOX— Health care data HIPAA— Etc.

Some data will apply to multiple regulations Who does this now at your company? Anyone?

65

Convergence of DBA and DM

Database Administration

— Backup/Recovery

— Disaster Recovery

— Reorganization

— Performance Monitoring

— Application Call Level Tuning

— Data Structure Tuning

— Capacity Planning

Managing the database environmentManaging the content and uses of data

Data Management

— Database Security

— Data Privacy Protection

— Data Quality Improvement

— Data Quality Monitoring

— Database Archiving

— Data Extraction

— Metadata Management

66

Data Management DBA

Very well defined tasks

Very well defined Job Title and Description

Functions fall entirely in IT

Overwhelming vendor support

DBMS architectures fully supportive

Must be done well to support efficient operational environment

Tasks definitions are emerging

No standard Job Titles or Descriptions

Aligned with business not just IT

Little Vendor Support

DBMS architectures built without consideration of DM

IT management has not been supportive (NMP)

Executive management has not been supportive

Companies have accrued many penalties for not paying attention to DM requirements

67

So, What is the Impact of Regulatory Compliance?

Data Management vs. Database Administration

Data Governance

Business acumen vs. bits-and-bytes

Can’t abandon technical skills, but must add more soft skills to your bag of tricks

Communication and Inter-organizational Cooperation

IT, Lines of Business, Legal

68

Challenges: Compliance & Database Management

Source: Unisphere Research, OAUG Automating Compliance 2006 Survey

69

But Do Not Despair

According to CIO Magazine (September 15,

2007):

69% do not keep accurate inventory of user data

67% do not keep an accurate inventory of where data is stored

33% of all enterprises are NOT in compliance with Sarbox, HIPAA or state privacy laws

…by 2008, less than 10% of organizations will succeed at their first attempts at data governance because of cultural barriers and a lack of senior-level sponsorship.

Source: Gartner, Inc. as reported by the web portal SearchDataManagement

70

Web References

Industry Organizations and References

www.itcinstitute.com www.isaca.org www.coso.org www.aicpa.org/news/2004/2004_0929.htm www.auditnet.org/sox.htm www.itgi.org www.sox-online.com/coso_cobit.html www.bis.org/publ/bcbs107.htm - (Basel II) www.snia-dmf.org/100year

71

Some Recommended Books

Implementing Database Security and Auditing by Ron Ben Natan (2005, Elsevier Digital Press, ISBN: 1-55558-334-2)

Manager’s Guide to Compliance by Anthony Tarantino (2006, John Wiley & Sons, ISBN: 0-471-79257-8)

IT Compliance for Dummies by Clark Scheffy, Randy Brasche, & David Greene (2005, Wiley Publishing, Inc., ISBN: 0-471-75280-0)

Cryptography in the Database: The Last Line of Defense by Kevin Kenan (2006, Addison-Wesley, ISBN: 0321-32073-5)

Electronic Evidence and Discovery: What Every Lawyer Should Know by Michele C.S. Lange and Kristin M. Nimsger (2004, ABA Publishing, ISBN: 1-59031-334-8)

72

Craig S. Mullins

NEON Enterprise Software

craig.mullins@neonesoft.com

www.neonesoft.com

www.craigsmullins.com

www.DB2portal.com